Hey guys, I have been running the latest OSSEC 2.8.3 with the Wazuh fork upgrade. I have performed the Wazuh auto-update with the .py script. All works well, thanks guys.

I have simply noticed recently that I cannot make use of my favorite Sysmon-based correlations because I am not able to see events with all the valid information fields like image, hash, network connection, and so on. I am assuming the rules for Sysmon are only parsing certain events and making certain data from those events available for the alert. How can I see all of the information fields stated above in the Sysmon alerts that fire?

What I do see is the "Sysmon suspicious file - svchost.exe" alert firing a lot on a multicast address. No hash. Has the hash field been ignored in a rule? Do I need to make a rule to just grab more fields and report?

Thanks guys, I appreciate your expert advice. :-)

--Rob
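A quick check worth doing before touching the ruleset, added here as an example and not taken from Rob's post or from the OSSEC/Wazuh code base: pull the raw Sysmon events apart and confirm which fields they actually carry. Sysmon writes its data as `<Data Name="...">` elements (Image, Hashes, ParentImage on Event ID 1; Image, DestinationIp, DestinationPort on Event ID 3), and if a field is present in the raw event but absent from the alert, it is the decoder or rule that is dropping it, not the sensor. The two events below are constructed samples with made-up values, and the helper names (`parse_sysmon_event`, `parse_hashes`, `fields_for_alert`) are my own, not anything in OSSEC.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Windows event XML namespace used by Sysmon (and every other event channel).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample events, not captured from a real host. The Data Name
# attributes are the ones Sysmon emits; the hashes, host and paths are made up.
PROCESS_CREATE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon"/>
    <EventID>1</EventID>
    <Computer>workstation01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="Image">C:\\Windows\\System32\\svchost.exe</Data>
    <Data Name="CommandLine">C:\\Windows\\System32\\svchost.exe -k netsvcs</Data>
    <Data Name="Hashes">SHA1=0123456789abcdef0123456789abcdef01234567,MD5=00112233445566778899aabbccddeeff</Data>
    <Data Name="ParentImage">C:\\Windows\\System32\\services.exe</Data>
  </EventData>
</Event>"""

NETWORK_CONNECT_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon"/>
    <EventID>3</EventID>
    <Computer>workstation01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="Image">C:\\Windows\\System32\\svchost.exe</Data>
    <Data Name="Protocol">udp</Data>
    <Data Name="DestinationIp">239.255.255.250</Data>
    <Data Name="DestinationPort">1900</Data>
  </EventData>
</Event>"""


def parse_sysmon_event(xml_text):
    """Flatten one Sysmon event into a dict: System fields plus every EventData/Data."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event = {
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "computer": system.findtext("e:Computer", namespaces=NS),
    }
    for data in root.findall("e:EventData/e:Data", NS):
        event[data.get("Name")] = data.text or ""
    return event


def parse_hashes(hashes_field):
    """Split Sysmon's 'SHA1=...,MD5=...' string into {algorithm: hex digest}."""
    result = {}
    for part in hashes_field.split(","):
        if "=" in part:
            algo, digest = part.split("=", 1)
            result[algo.strip().upper()] = digest.strip().lower()
    return result


def is_multicast(ip_text):
    """True for IPv4/IPv6 multicast destinations (224.0.0.0/4, ff00::/8)."""
    try:
        return ipaddress.ip_address(ip_text).is_multicast
    except ValueError:
        return False


def fields_for_alert(event):
    """Return the subset of fields a correlation rule would want for this event type."""
    if event["event_id"] == 1:  # process create
        return {
            "computer": event["computer"],
            "image": event.get("Image", ""),
            "parent_image": event.get("ParentImage", ""),
            "command_line": event.get("CommandLine", ""),
            "hashes": parse_hashes(event.get("Hashes", "")),
        }
    if event["event_id"] == 3:  # network connection
        dst = event.get("DestinationIp", "")
        return {
            "computer": event["computer"],
            "image": event.get("Image", ""),
            "protocol": event.get("Protocol", ""),
            "destination_ip": dst,
            "destination_port": event.get("DestinationPort", ""),
            "multicast": is_multicast(dst),
        }
    return {"computer": event["computer"], "event_id": event["event_id"]}


if __name__ == "__main__":
    for raw in (PROCESS_CREATE_EVENT, NETWORK_CONNECT_EVENT):
        print(fields_for_alert(parse_sysmon_event(raw)))
```

Two things this makes visible. First, the hash only exists on the process-create event (ID 1); a network-connection event (ID 3) never carries one, so an alert built from the ID 3 event alone cannot show a hash no matter how the rule is written, and a correlation that wants both has to join on the process (Image and the process GUID/ID) across the two event types. Second, svchost.exe sending UDP to 239.255.255.250:1900 is SSDP discovery, which is normal Windows behaviour; a rule that keys on "svchost plus multicast destination" without the multicast check above will keep firing on it.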
